Process Flow - VPC Service Controls

Start: Define Service Perimeter

↓

Select Google Cloud Services

↓

Add Resources to Perimeter

↓

Enforce Access Restrictions

↓

Monitor Access & Logs

↓

Adjust Perimeter as Needed

↓

End

This flow shows how you create a secure boundary around your cloud resources by defining a perimeter, selecting services, adding resources, enforcing restrictions, monitoring, and adjusting.

Execution Sample

GCP

gcloud access-context-manager perimeters create perimeter-1 \
  --title="My Perimeter" \
  --resources=projects/123456789 \
  --restricted-services=storage.googleapis.com,bigquery.googleapis.com

This command creates a service perimeter named 'perimeter-1' that restricts access to Storage and BigQuery for the specified project.

Process Table

Step	Action	Input/Command	Result/State Change
1	Define Perimeter	Create perimeter-1 with title 'My Perimeter'	Perimeter 'perimeter-1' created
2	Select Services	Restrict services: storage.googleapis.com, bigquery.googleapis.com	Services restricted inside perimeter
3	Add Resources	Add project 123456789 to perimeter	Project added to perimeter
4	Enforce Restrictions	Apply perimeter policies	Access to restricted services limited to perimeter
5	Monitor Access	Check audit logs for perimeter access	Logs show allowed and denied access attempts
6	Adjust Perimeter	Add another project or service	Perimeter updated with new resources
7	Exit	No more changes	Perimeter enforces access controls as configured

💡 No more perimeter changes; access controls active

Status Tracker

Variable	Start	After Step 1	After Step 2	After Step 3	After Step 4	After Step 5	After Step 6	Final
Perimeter Name	None	perimeter-1	perimeter-1	perimeter-1	perimeter-1	perimeter-1	perimeter-1	perimeter-1
Restricted Services	None	None	storage.googleapis.com, bigquery.googleapis.com	storage.googleapis.com, bigquery.googleapis.com	storage.googleapis.com, bigquery.googleapis.com	storage.googleapis.com, bigquery.googleapis.com	storage.googleapis.com, bigquery.googleapis.com	storage.googleapis.com, bigquery.googleapis.com
Resources in Perimeter	None	None	None	projects/123456789	projects/123456789	projects/123456789	projects/123456789, new-project	projects/123456789, new-project
Access Enforcement	Off	Off	Off	On	On	On	On	On
Audit Logs Checked	No	No	No	No	Yes	Yes	Yes	Yes

Key Moments - 3 Insights

Why can't resources outside the perimeter access restricted services?

Can you add more projects after creating the perimeter?

What happens if you don't specify restricted services?

Visual Quiz - 3 Questions

Test your understanding

Look at the execution_table at step 3, what resource is added to the perimeter?

Astorage.googleapis.com

Bperimeter-1

Cprojects/123456789

Dbigquery.googleapis.com

Concept Snapshot

VPC Service Controls create a secure boundary called a perimeter.
You define which Google Cloud services are restricted inside it.
Add projects or resources to the perimeter to protect them.
Access outside the perimeter to restricted services is blocked.
Monitor access with audit logs and adjust perimeter as needed.

Full Transcript

VPC Service Controls help protect your cloud resources by creating a secure perimeter. You start by defining a perimeter and giving it a name. Then, you select which Google Cloud services should be restricted inside this perimeter, like Storage or BigQuery. Next, you add your projects or resources to this perimeter. Once set, the perimeter enforces access restrictions, blocking access to restricted services from outside resources. You can monitor access attempts using audit logs to see allowed or denied requests. If needed, you can adjust the perimeter by adding more projects or services. This process ensures your sensitive data stays protected within your defined boundary.